Even in Test Mode, New Mirai Variant Infecting IoT DevicesResearchers: 'Katana' Features Many Enhancements
A greatly enhanced variant of the powerful Mirai botnet is already infecting IoT devices even though it's operating in a test environment, according to researchers at cybersecurity firm Avira Protection Lab.
Researchers discovered samples of the variant, dubbed "Katana," that have Layer 7 distributed denial-of-service capability, separate encryption keys for each source, fast self-replication and secure connection to its command-and-control servers, Tettang, Germany-based Avira reports.
"Katana contains several features of Mirai," says Alexander Vukevic, director of Avira Protection Labs. "These include running a single instance, a random process name, editing the watchdog to prevent the device from restarting and [distributed denial-of-service] commands."
Katana is infecting hundreds of IoT devices each day, Avira researchers say. The top three devices targeted by the botnet include D-Link's DSL-7740C router, the DOCSIS 3.1 wireless gateway and Dell's PowerConnect 6224 switch.
Avira was also able to determine which command-and-control servers help operate Katana, noting 100cnc[.]r4000[.]net and 1280x1024cnc[.]r4000.net are most often contacted by its operators although these servers are not related to the original Mirai botnet.
The Mirai botnet gained notoriety in 2016 when the malware was used to disrupt domain name server provider Dyn and attack closed-circuit TV cameras primarily in Vietnam, Brazil the United States, China and Mexico (see: Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).
Since that time, the Mirai source code has leaked online, giving other threat actors the ability to tweak the code for their own purposes (see: New Mirai Variant Exploits NAS Device Vulnerability).
Avira researchers discovered the new Katana botnet when the company's honeypots captured a wave of unknown malware binaries. They found the botnet, like Mirai, uses remote code execution and command injection to exploit security vulnerabilities in older Linksys and GPON routers as well as attack IoT devices, according to the report.
"It includes classic Mirai functions, such as running a single instance, random process name and manipulating the watchdog to prevent the device from restarting. Similar to Mirai, it offers various [distributed denial-of-service] commands such as 'attack_app_http' or 'attack_get_opt_int,'" the researchers note.
Avira's analysis found when the botnet runs as a single instance, it binds different ports, such as 53168, 57913, 59690, 62471 and 63749.
Avira's researchers found a page on GitHub saying "Katana HTTP Botnet coming soon."
More to Come
"The problem with new Mirai variants like Katana is that they are offered on the DarkNet or via regular sites like YouTube, allowing inexperienced cybercriminals to create their own botnets," the Avira researchers say.
Allison Nixon, chief research officer at the cyber risk assessment firm Unit 221B, told Information Security Media Group earlier this year that the next mass attack leveraging IoT botnets could be even worse than Mirai (see video: IoT Botnets: Why the Next Mirai Could Be Worse ).